ABSTRACT

As the number of computers and computer systems in existence has grown over 
the past few decades, we have come to depend on them to maintain the security of private 
or sensitive information. The execution of a program may cause leaks of private or 
sensitive information from the computer. Static secure flow analysis is an attempt to 
detect these leaks prior to program execution. 

It is possible to analyze programs by hand, but this is often impractical for large
programs. A better approach is to automate the analysis, which is what this thesis
explores.

We describe some previous research and give background information about 
secure flow analysis. A secure flow analyzer is presented. It implements a secure flow 
type inference algorithm, for a subset of Java 1.0.2, using a parser generator called Java 
Compiler Compiler (JavaCC). Semantic actions are inserted into a grammar specification 
to perform the secure flow analysis on a given program. 
I. INTRODUCTION



The number of computers and computer networks has exploded over the past few 
decades, and computer security is a major concern. In a multi-level system where 
information exists with different security classifications, such as a military computer 
system, we want to protect information with a high security classification. It is desirable 
to have an automated tool to detect whether information we wish to keep secret in 
applications remains secret and is not leaked. This thesis introduces a program that will 
statically analyze a subset of Java programs to ensure that private information is not 
leaked. 

A. SECURE INFORMATION FLOW 

Verifying secure information flow within computer systems is necessary in order 
to protect sensitive information, especially in a military system. Denning and Denning 
state that information flow occurs from a storage object x to another storage object y 
when information stored in x is transferred to y, or used to derive information transferred 
to y. A flow may be either explicit or implicit [1]. 

Explicit information flow occurs when information is directly copied or
transferred from one storage object to another. Consider the code segment "y := x". The
information contained in x is directly copied into y, so information flows from x to y.
The flow from x to y is independent of the value stored in x.

Implicit flow occurs when information is indirectly copied or transferred from one
storage object to another. If the variable x contains either 0 or 1, then the following code
segment will copy the value of x into y using an implicit flow:

y := 0; if (x = 1) then y := 1 

In this case, there is no direct flow from x to y. However, the value of x determines 
whether the then statement will be executed. The flow in both of these examples is 
allowed only if the security classification of y is at least that of x. For instance, if x were 
classified high then y must also be classified high in order for the code to be secure [1]. 

B. A TYPE-BASED TREATMENT OF SECURE INFORMATION FLOW

Goguen and Meseguer introduced a notion of security for deterministic computer
systems called noninterference [2]. The basic idea is that a system has users who may
supply information with various security classifications to the system. A system satisfies 
the noninterference property if its low-level outputs remain the same when its high-level 
inputs are changed. 

Volpano and Smith [3] have applied this idea to programming languages. When 
applied to languages, the idea is that low-level program outputs are unaffected by 
changes in high-level program inputs. 

C. A TYPE INFERENCE ALGORITHM 

Volpano and Smith go on to describe an algorithm that is defined by cases on the
phrases of a simple imperative language. The evaluation of an expression returns a
principal type and a set of typing constraints. A typing constraint is an inequality
between two types that are security levels. For example, if τ is type high and τ' is type
low then τ' ≤ τ is a constraint. Note that τ' = τ is equivalent to τ' ≤ τ and τ ≤ τ'. It is
important to note also that the algorithm produces constraints among type variables,
where a type variable ranges over types like high and low. Constraint-set satisfiability
can be used on the set of constraints to determine whether illegal flows exist in the
program being analyzed, for instance, if a constraint set contains high ≤ low.

The classifications, or types, over which type variables range, depend on the 
system being modeled. In a typical military system, the types would be unclassified, 
confidential, secret, and top secret. For the purposes of this discussion, we consider a 
simple system of only two types, high and low, where low < high. 

As an example of how the algorithm works, consider the case of the preceding
assignment statement, y := x. Assuming x and y have already been assigned the type
variables τ0 and τ1 respectively, the following set of constraints will be generated by the
type inference algorithm:

{τ0 ≤ τ2, τ1 = τ2, τ3 ≤ τ2}

Therefore, the principal type of the expression is τ3 cmd. The constraint set can be
simplified to {τ0 ≤ τ1, τ3 ≤ τ1}. So, for the assignment statement y := x, the algorithm
states that the classification of y must be at least as high as the classification of x. The
second constraint allows downward coercion on command types [7].

D. AN IMPLEMENTATION OF THE ALGORITHM

This thesis presents a Java program that implements the type inference algorithm.
The program is generated from a specification that is input to a compiler compiler called
JavaCC. JavaCC is a tool that reads a grammar specification written in a LEX/YACC-like
manner and converts it into a parser for the grammar. The algorithm was
incorporated into a grammar specification for Java 1.0.2 supplied with the JavaCC
distribution. The actions specified by the algorithm were performed by adding Java code
(semantic actions) to the corresponding productions in the grammar specification. The
generated parser is a secure flow analyzer for a subset of Java. Several statements,
expressions, and other Java functionality were removed from the grammar specification
because they are not currently supported by the type inference algorithm.

E. THESIS ORGANIZATION

Work in the area of secure information flow and a lattice model of secure 
information flow are discussed in Chapter II, followed by a description of the secure flow 
type system in Chapter III. The type-inference algorithm is discussed in Chapter IV. In 
Chapter V, the static analyzer and the Java subset we consider are discussed. Chapter VI 
gives an example run of the analyzer, and Chapter VII discusses some possible future 
work and presents conclusions about secure flow analysis and the static analyzer. 
II. THE LATTICE MODEL OF SECURE INFORMATION FLOW



The security mechanisms of most computer systems do not attempt to detect or 
prevent insecure information flows. Computer system security requires that programs at 
high security levels be unable to transfer information to low security users or programs. 
Most access control mechanisms are concerned with direct access control and are not 
concerned with information flow channels that may exist. Other systems rely on the 
trustworthiness of processes [5]. 

In the lattice model of secure flow, a flow policy is represented by the poset
<S, →> [5], where S is a set of security classes and → is a partial order, called the flow
relation. The flow relation specifies permissible flows between the security classes.
Every variable x is assigned a security class, denoted x, that is statically bound to x and
that can be determined at compile time from declarations given in the program. If x and
y are variables in a program and an information flow from x to y exists, then the flow is
allowed if x → y [6].

Each programming construct has a certification rule. Some rules, such as
assignment statements, certify explicit flows and other rules, such as if statements, certify
implicit flows. An assignment statement, x := y, will be certified if x → y. The rules for
conditional constructs such as the following if statement certify implicit flows.

if x = 0 then y := 0 else z := 1

This statement is certified if x → y and x → z.

If the poset <S, →> is a lattice, then there is a unique least upper bound and
greatest lower bound for any pair of classes. A simple grammar consisting of synthesized
attributes can be given to certify programs. The attributes are security classes computed
using the least upper bound, lub, and greatest lower bound, glb, operations. For example,
the certification requirement for the above if statement becomes the single condition
x → glb(y, z) [6].
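
The certification rules of this chapter, carried out mechanically (an added example, not code from the thesis). Classes are pairs of a level and a compartment set; the compartments are an assumption added here so that the order is genuinely partial, and the names sc, flows, certify and certified are hypothetical.

```python
"""Denning-style certification over a lattice of security classes."""
LEVELS = ["unclassified", "confidential", "secret", "top secret"]
COMPARTMENTS = frozenset({"crypto", "nuclear"})   # constructed for the example


def sc(level, *compartments):
    """Build a security class from a level name and optional compartments."""
    return (LEVELS.index(level), frozenset(compartments))


BOTTOM = sc("unclassified")                # class of a constant
TOP = (len(LEVELS) - 1, COMPARTMENTS)      # identity element for glb


def flows(a, b):
    """The flow relation a -> b: information of class a may enter class b."""
    return a[0] <= b[0] and a[1] <= b[1]


def lub(a, b):
    return (max(a[0], b[0]), a[1] | b[1])


def glb(a, b):
    return (min(a[0], b[0]), a[1] & b[1])


def expr_class(e, env):
    """Class of an expression: lub of the classes of the variables it reads."""
    if e[0] == "var":
        return env[e[1]]
    if e[0] == "lit":
        return BOTTOM
    return lub(expr_class(e[1], env), expr_class(e[2], env))   # ("op", e1, e2)


def certify(s, env, rejected):
    """Synthesized attribute: glb of the classes of all variables assigned in s.
    Statements whose flow check fails are appended to `rejected`."""
    tag = s[0]
    if tag == "assign":                    # explicit flow: expression -> target
        _, x, e = s
        if not flows(expr_class(e, env), env[x]):
            rejected.append(s)
        return env[x]
    if tag == "seq":
        return glb(certify(s[1], env, rejected), certify(s[2], env, rejected))
    if tag in ("if", "while"):             # implicit flow: guard -> all targets
        low = TOP
        for body in s[2:]:
            low = glb(low, certify(body, env, rejected))
        if not flows(expr_class(s[1], env), low):
            rejected.append(s)
        return low
    raise ValueError(f"unsupported statement {tag!r}")


def certified(program, env):
    """Return (True, []) if every flow is allowed, else (False, rejected)."""
    rejected = []
    certify(program, env, rejected)
    return not rejected, rejected


# if x = 0 then y := 0 else z := 1   (the statement used in the text)
IF_STMT = ("if", ("op", ("var", "x"), ("lit", 0)),
           ("assign", "y", ("lit", 0)),
           ("assign", "z", ("lit", 1)))
```

With y in compartment crypto and z in compartment nuclear, glb(y, z) carries no compartment, so a guard x that is in crypto is rejected even when both targets sit at a higher level than x.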
III. A SECURE FLOW TYPE SYSTEM



Volpano, Irvine, and Smith describe a type system consisting of a set of type
inference rules and axioms for deriving typing judgements. The types of the system are
divided into three levels. One level contains data types, which we refer to as τ types.
These are the security classes of Denning's model and they are partially ordered, for
example, low < high.

At the next level are the π types. They consist of the data types τ, command
types τ cmd, and the procedure types

τ proc(τ1, τ2 var, τ3 acc)

A variable of type τ var means it can store information at level τ. A command has type
τ cmd only if every assignment in the command is made to a variable whose security
level is τ or higher. Lastly, the τ in the above procedure type refers to the security level
of its body. That is, a call to a procedure of this type would have type τ cmd.

At the third and final level are the ρ, or phrase, types. They consist of the
π types, type τ var and type τ acc (we ignore type τ acc). So, our procedure types, in this
thesis, are of the form:

τ proc(τ1 var, ..., τn var)

The partial order on τ types is extended to a subtype relation over phrase types.
The subtype relation is anti-monotonic in the types of the commands, meaning if τ is a
subtype of τ', then τ' cmd is a subtype of τ cmd. The intuition here is that if one can read
level τ' (high) information then they can read level τ (low) information. There is also a
typical type subsumption rule that states if a phrase has type ρ then it can be assigned a
type ρ' if ρ is a subtype of ρ' [7].

The typing rules of the system guarantee secure explicit and implicit flow.
Consider the typing rule for assignment:

γ ⊢ x : τ var
γ ⊢ e : τ
------------------
γ ⊢ x := e : τ cmd

where γ is an identifier typing that maps identifiers to ρ types. The rule states that the
explicit flow from expression e to variable x is secure if e and x have the same security
level. This does not prevent e from having a lower security level than x, because
subtyping allows the level to be coerced upward.

The next example shows a rule that deals with a situation where an implicit flow
exists. Consider the following program phrase where x is either 0 or 1:

if x = 1 then y := 1 else y := 0

There is no explicit flow from x to y, but when the phrase is executed, y will contain the
value of x. To guarantee the implicit flow from x to y is secure, the following typing rule
is used:

γ ⊢ e : τ
γ ⊢ c : τ cmd
γ ⊢ c' : τ cmd
-------------------------------
γ ⊢ if e then c else c' : τ cmd

The commands c and c' must have type τ cmd, because information of type τ is implicitly
known by evaluating the predicate e. Therefore c and c' can only make assignments to
variables at security level τ or higher. The rule requires e, c, and c' to have the same
security level, namely τ. Nevertheless, an upward implicit flow from e to c and c' can be
accommodated by subtyping.

There is also a rule for local variable declarations. A local variable declaration of 
the form 

letvar x := e in c 

creates a variable x with an initial value e, whose scope is command c. The initialization 
of x may cause an implicit flow, but it is always harmless. 

Two lemmas are needed to prove type soundness: Simple Security and
Confinement. Simple Security applies to expressions and Confinement applies to
commands. If an expression e can be assigned type τ, then Simple Security states that
only variables of type τ or lower will be read when e is evaluated (no read up).
Confinement says that if a command c can be assigned type τ cmd, then every variable
that is updated in c has security level τ or higher (no write down). These two lemmas are
used to prove that the type system is sound. Soundness is formulated as a
noninterference property. The noninterference property states that variables in a
well-typed program do not interfere with variables at lower security levels.

It is possible to automatically check whether a program is well typed, using the 
techniques of type inference. The basic idea of type inference is to use type variables to 
represent unknown types in a program, and to generate constraints in the form of 
inequalities. An assignment of types to these variables must satisfy the constraints in 
order for the program to be well typed with respect to that assignment. A principal type 
can be formulated that represents all possible types the program can be given. 
IV. A SECURE FLOW TYPE INFERENCE ALGORITHM



A type inference algorithm that ensures secure information flow is described in
this chapter. Volpano and Smith have extended the type system discussed in the previous
chapter to a simple language with first order procedures [3]. They also prove the
noninterference property for the system in order to establish the type soundness in the
context of procedures. Figure 1 shows the core language they considered.

expressions ::= x | n | l |
                e1 + e2 |
                proc(in x1, inout x2, out x3) c

commands ::= c1; c2 |
             if e then c1 else c2 |
             while e do c |
             e1 := e2 |
             letvar x := e in c |
             letproc x(in x1, inout x2, out x3) c in c' |
             e(e1, e2, e3)

Figure 1. Core Language

For expressions, metavariable x ranges over identifiers, n ranges over integer literals,
and l ranges over locations. Expressions also consist of anonymous procedure
expressions. Their names are provided via letproc.

Commands consist of the following: composition of commands, if, while loops, 
assignment, variable declarations, procedure declarations, and procedure calls. 

Volpano and Smith give a secure flow type inference algorithm in [3]. It is shown
in Figure 2 and is defined by cases on the phrases of the core language. The algorithm
takes as inputs a location typing λ, an identifier typing γ, a program phrase p, and a set of
type variables V. A location typing maps addresses to τ types and an identifier typing
maps variables to types τ and τ var, for some τ. The latter treats free variables in a
program, while the former treats free addresses. We shall assume programs have no free
addresses, and drop λ from the implementation of the type inference algorithm. The set V
contains a list of previously-used type variables and allows the algorithm to choose new
type variables. If the algorithm succeeds, it returns a triple consisting of a set of
constraints C, a type π, and the updated set of stale variables V. The constraints in C are
inequalities among type variables.

W(λ, γ, p, V) = case p of

  x : case γ(x) of
        τ       : ({τ ≤ α}, α, V ∪ {α})    α ∉ V
        τ var   : ({τ ≤ α}, α, V ∪ {α})    α ∉ V
        default : fail

  n : ({}, α, V ∪ {α})    α ∉ V

  l : ({λ(l) ≤ α}, α, V ∪ {α})    α ∉ V

  e1 + e2 :
      let (C1, τ1, V') = W(λ, γ, e1, V)
      let (C2, τ2, V'') = W(λ, γ, e2, V')
      in (C1 ∪ C2 ∪ {τ1 = τ2}, τ1, V'')

  proc(in x1, inout x2, out x3) c :
      let (C, τ cmd, V') = W(λ, γ[x1 : α, x2 : β var, x3 : δ acc], c, V ∪ {α, β, δ})
      in (C, τ proc(α, β var, δ acc), V')    α, β and δ ∉ V

  c1; c2 :
      let (C1, τ1 cmd, V') = W(λ, γ, c1, V)
      let (C2, τ2 cmd, V'') = W(λ, γ, c2, V')
      in (C1 ∪ C2 ∪ {τ1 = τ2}, τ1 cmd, V'')

  if e then c1 else c2 :
      let (C, τ, V') = W(λ, γ, e, V)
      let (C1, τ1 cmd, V'') = W(λ, γ, c1, V')
      let (C2, τ2 cmd, V''') = W(λ, γ, c2, V'')
      in (C ∪ C1 ∪ C2 ∪ {τ = τ1 = τ2, α ≤ τ}, α cmd, V''' ∪ {α})    α ∉ V'''

  while e do c :
      let (C, τ, V') = W(λ, γ, e, V)
      let (C', τ' cmd, V'') = W(λ, γ, c, V')
      in (C ∪ C' ∪ {τ = τ', α ≤ τ}, α cmd, V'' ∪ {α})    α ∉ V''

  e1 := e2 :
      let (C, τ', V') = W(λ, γ, e2, V)
      case e1 of
        x : if γ(x) = τ var or γ(x) = τ acc then
              (C ∪ {τ = τ', α ≤ τ'}, α cmd, V' ∪ {α})    α ∉ V'
            else fail
        l : (C ∪ {λ(l) = τ', α ≤ τ'}, α cmd, V' ∪ {α})    α ∉ V'
        default : fail

  letvar x := e in c :
      let (C, τ, V') = W(λ, γ, e, V)
      let (C', τ' cmd, V'') = W(λ, γ[x : τ var], c, V')
      in (C ∪ C', τ' cmd, V'')

  letproc x(in x1, inout x2, out x3) c in c' :
      let (C, π, V') = W(λ, γ, proc(in x1, inout x2, out x3) c, V)
      let (C', τ cmd, V'') = W(λ, γ, [proc(in x1, inout x2, out x3) c / x]c', V')
      in (C ∪ C', τ cmd, V'')

  e(e1, e2, e3) :
      let (C, τ proc(τ1, τ2 var, τ3 acc), V') = W(λ, γ, e, V)
      let (C', τ', V'') = W(λ, γ, e1, V')
      let C'' = case e2 of
        x : if γ(x) = τ'' var then C ∪ C' ∪ {τ' = τ1, τ'' = τ2} else fail
        l : C ∪ C' ∪ {τ' = τ1, λ(l) = τ2}
        default : fail
      in case e3 of
        x : if γ(x) = τ''' var or γ(x) = τ''' acc then (C'' ∪ {τ''' = τ3}, τ cmd, V'')
            else fail
        l : (C'' ∪ {λ(l) = τ3}, τ cmd, V'')
        default : fail

Figure 2. Volpano-Smith Type Inference Algorithm

To illustrate how the algorithm works, we give an example from [3], shown in 
Figure 3, of a procedure that indirectly copies a variable x to another variable y. 

proc (in x, out y)
  letvar a := x in
  letvar b := 0 in
    while a > 0 do
      b := b + 1;
      a := a - 1;
    y := b

Figure 3. Example Program 

Figure 4 shows the results of calling the algorithm on the procedure. The algorithm yields
a triple consisting of a set of stale type variables V, the list of generated constraints and
the type of the procedure, here denoted by π. This triple is used to form the principal
type for the procedure.

V = { a. y, v, o, e, i . £ v, 8, 7], 6, k, X, p. £,\

C = { a < y, v o, £ = i, v < s, s = y < s, i = v, 8 = rj, i < 8,

r) = d, 8 < 7], y = k v < y, k = X, y < k P 4> ° <P, 8 < $}

7i — ( v proc( a, P acc ))

Figure 4. Algorithm Results of Sample Program

Type simplification can be used to simplify the constraint set C and type π [8].
The static analyzer developed for this thesis does not include any mechanism to perform
type simplification and such simplification is shown here for demonstration purposes
only. The first step collapses the strongly connected types and produces a more useful
form, as shown in Figure 5.



V= {a, o, 8,& 

C= {8<$o<X, X<8, cx<X} 

7i= (o proc(<x £acc)) 

Figure 5. Algorithm Results after Type Simplification

Further simplification is possible, leading to the π in Figure 6.



7i = (£proc(£ %acc)) 

Figure 6. Principal Type after Applying Monotonicity-Based Instantiations 
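
An added Python sketch (not the thesis's Java/JavaCC analyzer) of constraint generation for the assignment, sequence, if, while and letvar cases of Figure 2, run on the body of the Figure 3 procedure. The tuple AST, the class and function names, and the least-fixpoint satisfiability check over low ≤ high are assumptions made for the example; locations and procedures are omitted.

```python
from itertools import count

LOW, HIGH = 0, 1   # the two-point lattice of the text: low <= high


class Inference:
    """Constraint generation by cases on the phrase (fragment of Figure 2)."""

    def __init__(self):
        self._ids = count()      # fresh-name supply, the role of the set V
        self.constraints = []    # pairs (a, b), each meaning a <= b

    def fresh(self):
        return f"t{next(self._ids)}"

    def le(self, a, b):
        self.constraints.append((a, b))

    def eq(self, a, b):          # a = b is a <= b together with b <= a
        self.le(a, b)
        self.le(b, a)

    def coerce_down(self, t):    # fresh alpha <= t: command type may be lowered
        alpha = self.fresh()
        self.le(alpha, t)
        return alpha

    def expr(self, gamma, e):
        tag = e[0]
        if tag == "var":         # case x: {gamma(x) <= alpha}
            alpha = self.fresh()
            self.le(gamma[e[1]], alpha)
            return alpha
        if tag == "lit":         # case n: fresh and unconstrained
            return self.fresh()
        if tag == "op":          # case e1 + e2: both operands at one level
            t1 = self.expr(gamma, e[1])
            t2 = self.expr(gamma, e[2])
            self.eq(t1, t2)
            return t1
        raise ValueError(f"unsupported expression {tag!r}")

    def cmd(self, gamma, c):
        tag = c[0]
        if tag == "assign":      # x := e
            t = self.expr(gamma, c[2])
            self.eq(gamma[c[1]], t)
            return self.coerce_down(t)
        if tag == "seq":         # c1; c2
            t1 = self.cmd(gamma, c[1])
            t2 = self.cmd(gamma, c[2])
            self.eq(t1, t2)
            return t1
        if tag == "if":          # guard and both branches at one level
            t = self.expr(gamma, c[1])
            t1 = self.cmd(gamma, c[2])
            t2 = self.cmd(gamma, c[3])
            self.eq(t, t1)
            self.eq(t1, t2)
            return self.coerce_down(t)
        if tag == "while":
            t = self.expr(gamma, c[1])
            t1 = self.cmd(gamma, c[2])
            self.eq(t, t1)
            return self.coerce_down(t)
        if tag == "letvar":      # letvar x := e in c
            t = self.expr(gamma, c[2])
            return self.cmd({**gamma, c[1]: t}, c[3])
        raise ValueError(f"unsupported command {tag!r}")


def unsatisfied(constraints):
    """Raise every type variable to its least admissible level, then return the
    constraints that still fail (only those bounded above by a constant can)."""
    val = {}

    def level(t):
        return t if isinstance(t, int) else val.get(t, LOW)

    changed = True
    while changed:
        changed = False
        for a, b in constraints:
            if isinstance(b, str) and level(a) > level(b):
                val[b] = level(a)
                changed = True
    return [(a, b) for a, b in constraints if level(a) > level(b)]


def analyze(program, gamma):
    """Return (generated constraints, constraints no assignment can satisfy)."""
    inf = Inference()
    inf.cmd(gamma, program)
    return inf.constraints, unsatisfied(inf.constraints)


# Body of the Figure 3 procedure, written as a constructed tuple AST.
FIG3 = ("letvar", "a", ("var", "x"),
        ("letvar", "b", ("lit", 0),
         ("seq",
          ("while", ("op", ("var", "a"), ("lit", 0)),
           ("seq", ("assign", "b", ("op", ("var", "b"), ("lit", 1))),
                   ("assign", "a", ("op", ("var", "a"), ("lit", 1))))),
          ("assign", "y", ("var", "b")))))
```

With x fixed at high and y at low, the single failing constraint is the one that bounds the type of b in y := b by the level of y, which is the indirect copy through the loop.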
V. IMPLEMENTATION OF THE TYPE INFERENCE ALGORITHM



The static analyzer that performs the security checks specified by the type 
inference algorithm was developed using the Java Compiler Compiler (JavaCC). JavaCC 
takes, as input, a grammar specification. The output is a Java program that will parse the 
specified language and perform the semantic actions indicated in the grammar 
specification. 

Rather than start from scratch and build a JavaCC specification for the language 
in Figure 1, we started with a grammar specification for Java 1.0.2, which we modified to
reflect the language in Figure 1. Semantic actions were added to encode the type 
inference algorithm. The specification is given in Appendix A. There are several 
restrictions imposed on the kinds of Java programs that the static analyzer can check 
because there are many constructs in the Java language that are not currently treated in 
the type inference algorithm. Each of the phrases in Figure 1 was mapped to a 
corresponding expression or statement in the Java grammar specification. 

A. A BRIEF LOOK AT JAVACC 

JavaCC constructs a Java program that acts as a recursive descent parser for the 
language described by the grammar specification. A sample from the Java 1.0.2 grammar 
specification is shown in Figure 7. The sample shows three productions that are used to 
parse a Java method declaration and parameters. JavaCC converts each production into a 
method in the generated parser. 
void MethodDeclarator() :
{}
{
  <IDENTIFIER> FormalParameters() ( "[" "]" )*
}

void FormalParameters() :
{}
{
  "(" [ FormalParameter() ( "," FormalParameter() )* ] ")"
}

void FormalParameter() :
{}
{
  Type() VariableDeclaratorId()
}



Figure 7. Sample Productions 

Each production begins with the return type of the corresponding method in the
parser, which is void for the three productions in Figure 7. The name of the production
will also be the name of the method in the parser. Parameter passing can be added to the
productions in the same way it is used in Java programs.

There is a notion of "calling" a production because of its relationship with the
corresponding method in the generated parser. For example, if the production
FormalParameter() in Figure 7 is called, it will in turn call the productions
Type() and VariableDeclaratorId().

Java code can be added anywhere in the production, but must be enclosed in curly
braces, "{ }". When JavaCC converts the production into its corresponding method, the
added code will remain where it was placed. Local variable declarations for any
production should be inserted in the first set of curly braces of that production. In the
three productions shown in Figure 7, there are no local variable declarations.
B. IMPLEMENTING THE ALGORITHM USING JAVACC



There are two main data structures in the implementation of the algorithm. The
first is called gamma, and contains identifier typings. The second is called triple, and
consists of the items returned by the type inference algorithm, namely, a set of constraints
C, a type π, and a list of stale type variables V.

The initial attempt to implement the algorithm used two Stacks from the Java
utility package. The gamma stack held objects called gamma items. A gamma item
consisted of a variable name and its type variable. The triple stack contained the triple
items consisting of the constraint set in the form of a linked list and the principal type.
The set of stale type variables was kept in a separate symbol generator for the entire
program.

The idea of the gamma stack was to push a gamma item whenever a new variable
was encountered and to pop the stack when the variable's scope ended. It became
apparent that determining when the variable's scope ended was going to be a difficult task
unless the analyzer kept track of more information about the variables being declared.
The analyzer soon had four separate stacks to keep track of the important information.
The triple stack had similar problems.

It was determined that all of the external stacks could be eliminated if the run time
stack was utilized. In this implementation, gamma became a linked list of gamma items
that is passed as a parameter from one production to those productions it calls. In
addition, each production returns a triple that contains all the constraints generated in the
program. This did pose one problem. A local variable declaration requires an update to
the gamma list with the variable's type information and it also requires the generation of a
new triple item. Both must be returned to the calling production.

This problem may be overcome by adding new productions to the specification 
but the productions were not added in this implementation. Instead, a new data structure 
was developed to simply hold the new gamma list and the generated triple so that both 
the gamma list and the generated triple could be returned. The structure, called Dual, was 
later updated to also hold a string when a similar situation arose in the method declaration 
production that required a gamma list and the string representation of a token to be 
returned. 

Each of the commands and expressions of the core language listed in Figure 1 is
"mapped" to one or more productions in the Java 1.0.2 grammar specification. Mapping
the algorithm to the Java specification was performed in two steps. The first step was to
determine which productions in the grammar specification correspond to commands or
expressions in the core language. Once the relationship between the core language and
grammar specification was established, the second step entailed encoding the semantic
actions specified by the algorithm and placing the code in the corresponding productions
of the grammar specification. We consider, in turn, each of the cases of the algorithm in
Figure 2.

Case "x"

The Name() production in the grammar file is an instance of case x. Name()
returns a string representation of the current token when the production is called. The
type inference algorithm requires the type of x, τ or τ var, to be determined. The type
resolution of the token that corresponds to x is performed within the production that calls
Name().

Case "n"

The Literal() production is an instance of case n. Literal() accepts the
Java primitive types of integers, floating point numbers, characters, strings, boolean
values "true" and "false", and "null".

Case "l"

The third case statement, l, deals with locations and is not implemented in the
Java grammar.

Case "e1 + e2"

The expressions below are all instances of case e1 + e2:

ConditionalOrExpression()
ConditionalAndExpression()
InclusiveOrExpression()
ExclusiveOrExpression()
AndExpression()
EqualityExpression()
RelationExpression()
ShiftExpression()
AdditiveExpression()
MultiplicativeExpression()

Case "proc(in x1, inout x2, out x3) c"

The case in the algorithm for procedure declarations has the following form:

proc(in x1, inout x2, out x3) c

The modes of the parameters, in, inout, and out, are similar to those used in the Ada
programming language. The productions dealing with procedures start with the
MethodDeclaration() production. The name of the procedure and the parameters
are treated in a call to the MethodDeclarator() production. The parameters are
added to the environment with a call to the FormalParameters() production so they
may be referenced in the body of the procedure. MethodDeclarator() returns the
procedure name and the types of the parameters. All parameters are considered to be
inout mode and are typed as such, meaning they have type τ var for some τ. Finally the
body of the procedure, c, is handled in a call to the Block() production. The static
analyzer does not handle recursive procedures or method declarations.

Case "c1; c2"

Next in the algorithm is the statement for composition, c1; c2. Composition within
a block, delimited by { }, is handled by the BlockStatementList() production.
The original Java grammar specification handled composition in the Block()
production. It was necessary to add the production BlockStatementList() to
handle the letvar statement. Changes to the grammar specification for the letvar
statement are explained later in this section.

Case "if e then c1 else c2"

If-then-else statements are handled by the IfStatement() production in the
grammar specification. The else portion of the statement is not mandatory in Java. If it
is not used, then the semantic actions in the algorithm pertaining to the else statement are
not executed.

Case "while e do c"

The next case is the while loop of the form, while e do c. It has been mapped to
both the WhileStatement() and DoStatement() productions in the Java
specification.
Case "x := e"

The assignment statement x := e is mapped to Assignment(). Note that ":="
is not the only assignment operator allowed; others include: and

A modification to the grammar specification was required here. The Java 1.0.2 grammar
specification Assignment() production is listed in Figure 8. The production,
PrimaryExpression(), may be evaluated as a Literal(), Name(),
Expression(), or AllocationExpression(). PrimaryExpression() is
also called from a number of other productions and those productions require that
PrimaryExpression() return a triple consisting of a constraint set, a type, and a list
of stale type variables. However, the Assignment() production requires that
PrimaryExpression() return the type of x from the identifier typing γ. For this
reason, a new production, PrimaryLeftExpression(), was introduced into the
grammar specification. It returns the string representation of x, so that it may be
referenced in γ, and replaces PrimaryExpression() in the Assignment()
production.

void Assignment() :
{}
{
  PrimaryExpression() AssignmentOperator() Expression()
}



Figure 8. Assignment Production 
Case "letvar x := e in c"

Mapping the letvar statement to the Java language required another modification
to the Java grammar specification. The original specification handled local variable
declarations at the same level as all other statements within BlockStatement(). The
original Java specification productions that handle local variable declarations are shown
in Figure 9.



void Block() :
{}
{
  "{" ( BlockStatement() )* "}"
}

void BlockStatement() :
{}
{
  LOOKAHEAD(Type() <IDENTIFIER>)
  LocalVariableDeclaration()
|
  Statement()
}

void LocalVariableDeclaration() :
{}
{
  Type() VariableDeclarator() ( VariableDeclarator() )*
}



Figure 9. Java Specification Productions to Handle Local Variable Declarations

In the original grammar specification, composition is handled in the Block()
production. The * operator indicates that the production(s) within the preceding set of
parentheses is called zero or more times. Two new productions,
BlockStatementList() and LetvarStatement(), were added to the grammar
specification because it is necessary to pass the identifier typing γ, updated with a typing
for x, to the production that parses c in letvar x := e in c. The original Java 1.0.2 grammar
specification had no productions specified for c, so BlockStatementList() was
introduced to handle this problem. In the modified grammar specification, Block()
calls BlockStatementList() once per BlockStatement().
BlockStatementList(), the production used to handle composition, calls
BlockStatement() zero or more times. BlockStatement() calls
LetvarStatement() if a local variable declaration is found; otherwise,
Statement() is called. LetvarStatement() first calls
LocalVariableDeclaration() to handle the declaration, then
BlockStatementList() to parse the rest of the program that is within the scope of the
new variable. The section of the modified grammar file is listed in Figure 10.

Case "letproc x(in x1, inout x2, out x3) c in c'" 

The next case in the type inference algorithm, letproc, allows procedures to be 
used polymorphically and was not implemented in the Java grammar specification. 
Therefore, all procedures are treated as monomorphic in the analyzer specification. 
Moreover, only static methods are allowed because that is the only kind of method the 
algorithm treats. 

Case "e(e1, e2, e3)" 

The final case in the algorithm types procedure calls. The Java specification 
handles procedure calls in the PrimaryPrefix() production. First, the 
name of the procedure is found in the identifier typing, γ, then the types of the arguments 
are compared with those retrieved from γ. The original grammar specification for Java 
allowed arguments to be expressions. In the modified specification, all parameters must 
be either a literal or a previously declared and initialized variable name. 
void Block() :
{}
{
  "{" BlockStatementList() "}"
}

void BlockStatementList() :
{}
{
  ( LOOKAHEAD(2) BlockStatement() )*
}

void BlockStatement() :
{}
{
  LOOKAHEAD( Type() <IDENTIFIER> )
  LetvarStatement()
|
  Statement()
}

void LetvarStatement() :
{}
{
  LocalVariableDeclaration() BlockStatementList()
}

void LocalVariableDeclaration() :
{}
{
  Type() VariableDeclarator() ( VariableDeclarator() )*
}



Figure 10. Specification Changes for letvar Statement 



All of the source code files used to implement the static analyzer are given in 
Appendix B. 



C. RESTRICTIONS IMPOSED ON PROGRAMS 



The type inference algorithm in [3] does not treat an object-oriented language like 
Java. Although we started with a JavaCC specification for Java, the result was not an 
analyzer for full Java but rather an analyzer for that subset of Java corresponding to the 
simple language in Figure 1. So how big is this subset? 

First, the subset that can be analyzed has no objects, and consequently no instance 
variables or instance methods. 

Second, all expressions must be free of any side effects. This is the reason that 
assignment expressions in Java are prohibited, as are pre and post increment 
"expressions". They all violate the confinement property. 

Other restrictions on Java programs include that they be closed (no free 
variables), that they have only non-recursive static methods, that they have no methods 
with a return type other than void, and that they have no forward references. Yet other 
restrictions are imposed because certain constructs were not treated in the algorithm of 
[3]. They include try-catch blocks, synchronized blocks and so on. In summary, the 
following features of Java are not analyzed: 

1. Static Initializers 

2. Arrays 

3. Explicit Constructor Invocation 

4. Conditional Expressions 

5. Instanceof Expressions 

6. Preincrement and PreDecrement Expressions 

7. Postincrement and PostDecrement Expressions 

8. Cast Expressions 

9. Allocation Expressions - (object creation) 

10. Labeled Statements 

11. Switch Statements 

12. For Statements 

13. Break Statements 

14. Continue Statements 

15. Return Statements 

16. Throw Statements 

17. Synchronized Statements 

18. Try Statements 

19. Catch Statements 

20. Finally Statements 

The constructs that have been disallowed have only been commented out in the 
grammar specification file listed in Appendix A in order to allow for their 
implementation in the future. This means they cannot be parsed in the current 
implementation. 

VI. AN EXAMPLE RUN OF THE STATIC ANALYZER 

The program in Figure 11 illustrates an application of the static analyzer. It 
corresponds to the example program of Figure 3, in Chapter III, written in Java. 
However, it is not identical, for Java has no parameter-passing mode corresponding to 
mode out. Nevertheless, it serves to illustrate the analyzer. The results of the static 
analyzer when run on this program are shown in Figure 12. 



class test
{
    public static void p(int x, int y)
    {
        int a = x;
        int b = 0;
        while (a > 0) {
            b = b + 1;
            a = a - 1;
        }
        y = b;
    }
}



Figure 11. Static Analyzer Test Program 



V = {τ0, τ1, τ2, τ3, τ4, τ5, τ6, τ7, τ8, τ9, τ10, τ11, τ12, τ13, τ14} 

C = {τ14 = τ12, τ12 ≤ τ4, τ8 = τ4, τ5 = τ4, τ2 ≤ τ4, τ11 = τ8, τ8 ≤ τ6, τ6 = τ3, τ7 = τ6, 
     τ3 ≤ τ6, τ11 ≤ τ9, τ9 = τ2, τ10 = τ9, τ2 ≤ τ9, τ14 ≤ τ13, τ1 = τ13, τ3 ≤ τ13, τ0 ≤ τ2} 

π = τ12 proc(τ0 var, τ1 var) 

Figure 12 . Test Program Results 

We sketch a trace of the analyzer on part of the program. The parameters, x and 
y, are the first tokens to be analyzed. They are assigned the type variables τ0 and τ1, 
respectively. Then the variable declaration: 

int a = x 

is analyzed. A new type variable for x, namely τ2, is created and the constraint set 
{τ0 ≤ τ2} is generated. The constraint is generated by the case for identifiers where an 
upward coercion is introduced (see Figure 2). The variable a is assigned the type 
variable τ2 in analyzing the rest of the program. 

Next, the variable declaration: 

int b = 0 

is analyzed in the same manner, except that no constraint is generated since 0 is an 
integer. This is the integer literal case of the type inference algorithm. Finally, b is 
assigned the type variable τ3. At this point, gamma contains the following types: 

{x : τ0, y : τ1, a : τ2, b : τ3} 

and only one constraint, τ0 ≤ τ2, exists. 

Next, the while loop 

while(a > 0) 

is analyzed. The predicate, a > 0, is checked first and generates the following new 
constraints: 

τ2 ≤ τ4, τ4 = τ5 

The first comes from the identifier case of the algorithm (upward coercion of a's type) 
and the second comes from τ1 = τ2 in the case for e1 + e2 in the algorithm of Figure 2, 
where τ1 = τ4 and τ2 = τ5. The rest of the program is analyzed in the same manner. 
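
The trace above carried through the whole test program, as an added example in Python (it is not the thesis's JavaCC analyzer): it generates the constraints case by case and then checks them over an assumed two-point lattice L ≤ H. The tuple AST, the class and function names, and the while and composition rules (read off the constraint set in Figure 12) are assumptions of this sketch.

```python
from itertools import count


class ConstraintGen:
    """Collects flow constraints; a pair (lo, hi) means lo <= hi in the lattice."""

    def __init__(self):
        self._ids = count()
        self.cons = []

    def fresh(self):
        return f"t{next(self._ids)}"

    def leq(self, lo, hi):
        self.cons.append((lo, hi))

    def eq(self, a, b):
        self.leq(a, b)
        self.leq(b, a)

    def expr(self, e, gamma):
        tag = e[0]
        if tag == "lit":                      # literal: fresh type, no constraint
            return self.fresh()
        if tag == "var":                      # identifier: upward coercion tau <= alpha
            alpha = self.fresh()
            self.leq(gamma[e[1]], alpha)
            return alpha
        if tag == "op":                       # e1 op e2: both operand types equal
            t1 = self.expr(e[1], gamma)
            t2 = self.expr(e[2], gamma)
            self.eq(t1, t2)
            return t1
        raise ValueError(tag)

    def cmd(self, c, gamma):
        tag = c[0]
        if tag == "let":                      # letvar x = e in c
            _, name, init, body = c
            return self.cmd(body, {**gamma, name: self.expr(init, gamma)})
        if tag == "assign":                   # x = e: tau = tau', alpha <= tau'
            _, name, rhs = c
            t = self.expr(rhs, gamma)
            self.eq(gamma[name], t)
            alpha = self.fresh()
            self.leq(alpha, t)
            return alpha
        if tag == "while":                    # body type = guard type, alpha <= guard
            guard = self.expr(c[1], gamma)
            body = self.cmd(c[2], gamma)
            self.eq(body, guard)
            alpha = self.fresh()
            self.leq(alpha, guard)
            return alpha
        if tag == "seq":                      # c1; c2: both command types equal
            t1 = self.cmd(c[1], gamma)
            t2 = self.cmd(c[2], gamma)
            self.eq(t1, t2)
            return t1
        raise ValueError(tag)


# Body of p(int x, int y) from the test program, hand-built as a tuple AST.
FIG11_BODY = (
    "let", "a", ("var", "x"),
    ("let", "b", ("lit", 0),
     ("seq",
      ("while", ("op", ("var", "a"), ("lit", 0)),
       ("seq", ("assign", "b", ("op", ("var", "b"), ("lit", 1))),
               ("assign", "a", ("op", ("var", "a"), ("lit", 1))))),
      ("assign", "y", ("var", "b")))))


def generate():
    """Return (constraints, typing of the parameters, type of the method body)."""
    g = ConstraintGen()
    gamma = {"x": g.fresh(), "y": g.fresh()}
    body_type = g.cmd(FIG11_BODY, gamma)
    return g.cons, gamma, body_type


def satisfiable(cons, fixed):
    """fixed maps some type variables to 'L' or 'H'. Over L <= H the system has a
    solution unless a variable fixed at H is forced below one fixed at L."""
    succ = {}
    for lo, hi in cons:
        succ.setdefault(lo, set()).add(hi)
    high = {v for v, cls in fixed.items() if cls == "H"}
    work = list(high)
    while work:                               # everything above an H variable is H
        v = work.pop()
        for w in succ.get(v, ()):
            if w not in high:
                high.add(w)
                work.append(w)
    return not any(fixed.get(v) == "L" for v in high)


def secure(x_class, y_class):
    cons, gamma, _ = generate()
    return satisfiable(cons, {gamma["x"]: x_class, gamma["y"]: y_class})
```

With x classified H and y classified L the constraints have no solution: the loop guard depends on a (and so on x), the loop body assigns b, and b is then copied into y, so the implicit flow through the loop is rejected.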

VII. CONCLUSIONS 



As we rely more on computer systems, secure flow analysis is a necessary tool to 
protect the information stored on these systems. Denning's work [1] [5] provides a good 
base of knowledge for secure information flow. The Lattice Model consists of a set of 
storage objects, a set of processes, and a set of security classes. Each storage object is 
bound statically or dynamically to a security class. Security classes are required to form 
a lattice, hence the name. A flow relation indicates permitted information flows between 
security classes. The lattice shows all allowed information flows within the system. 

Volpano and Smith [3] treat the model in the context of a type system and prove 
the soundness of the type system. They also give a type inference algorithm for the 
system. This thesis describes an implementation of that algorithm using JavaCC. The 
result is a static analyzer that checks for secure information flow at compile-time. 

The static analyzer can only analyze a subset of the Java 1.0.2 language. It may 
be too limited to allow one to write interesting and useful programs. Future work might 
focus on analyzing a larger subset of Java. 

APPENDIX A - JAVA GRAMMAR SPECIFICATION 

The following pages represent the modified Java 1.0.2 grammar specification that 
is the input to the Java Compiler Compiler. The original grammar file was developed by 
Sriram Sankar on 6/11/96 and is copyrighted by Sun Microsystems Inc. Semantic actions 
were added to the original grammar to perform secure flow analysis on a subset of Java 
1.0.2 programs. 






/**
 *
 * Copyright (C) 1996, 1997 Sun Microsystems Inc. *
 *
 * Use of this file and the system it is part of is constrained by the
 * file COPYRIGHT in the root directory of this system.  You may,
 * however, make any modifications you wish to this file.
 *
 * Java files generated by running JavaCC on this file (or modified
 * versions of this file) may be used in exactly the same manner as
 * Java files generated from any grammar developed by you.
 *
 * Author: Sriram Sankar
 * Date: 6/11/96
 *
 * This file contains a Java grammar and actions that implement a
 * front-end.
 *
 * Modified 24 Feb 98 by LT James D. Harvey, USN.
 *
 * Modifications have been made to incorporate a type checker into the
 * compiler. Several portions of the Java language have been disabled
 * in this version because the type checker does not support them. The
 * portions that are not implemented are as follows:
 *
 *   Static Initializers
 *   Arrays
 *   Explicit Constructor Invocation
 *   Conditional Expressions
 *   Instanceof Expressions
 *   Preincrement and PreDecrement expressions
 *   Cast Expressions
 *   Allocation Expressions
 *   Labeled Statements
 *   Switch Statements
 *   For Statements
 *   Break Statements
 *   Continue Statements
 *   Return Statements
 *   Throw Statement
 *   Synchronized Statement
 *   Try Statement
 *
 */



* Permission to reproduce has been obtained from Sriram Sankar of Sun Microsystems. 




options {
  LOOKAHEAD = 1;
  JAVA_UNICODE_ESCAPE = true;
}

PARSER_BEGIN(JavaParser)

import thesis.*;

public class JavaParser {

  static SymbolGenerator sg = new SymbolGenerator();

  public static void main(String args[]) {
    JavaParser parser;
    Triple ConstraintSet;
    Gamma gamma = new Gamma("myGamma");

    if (args.length == 0) {
      System.out.println("Java Parser Version 1.0.2: Reading from standard input . . .");
      parser = new JavaParser(System.in);
    } else if (args.length == 1) {
      System.out.println("Java Parser Version 1.0.2: Reading from file " + args[0] + " . . .");
      try {
        parser = new JavaParser(new java.io.FileInputStream(args[0]));
      } catch (java.io.FileNotFoundException e) {
        System.out.println("Java Parser Version 1.0.2: File " + args[0] + " not found.");
        return;
      }
    } else {
      System.out.println("Java Parser Version 1.0.2: Usage is one of:");
      System.out.println("         java JavaParser < inputfile");
      System.out.println("OR");
      System.out.println("         java JavaParser inputfile");
      return;
    }

    try {
      ConstraintSet = parser.CompilationUnit(gamma);
      System.out.println("Java Parser Version 1.0.2: Java program parsed successfully.");
    } catch (ParseError e) {
      System.out.println("Java Parser Version 1.0.2: Encountered errors during parse.");
    }
  }
}

PARSER_END(JavaParser)

SKIP : /* WHITE SPACE */
{
  " "
| "\t"
| "\n"
| "\r"
| "\f"
}

SPECIAL_TOKEN : /* COMMENTS */
{
  <SINGLE_LINE_COMMENT: "//" (~["\n","\r"])* ("\n" | "\r" | "\r\n")>
| <FORMAL_COMMENT: "/**" (~["*"])* "*" ("*" | (~["*","/"] (~["*"])* "*"))* "/">
| <MULTI_LINE_COMMENT: "/*" (~["*"])* "*" ("*" | (~["*","/"] (~["*"])* "*"))* "/">
}

TOKEN : /* RESERVED WORDS AND LITERALS */
{
  < ABSTRACT: "abstract" >
| < BOOLEAN: "boolean" >
| < BREAK: "break" >
| < BYTE: "byte" >
| < CASE: "case" >
| < CATCH: "catch" >
| < CHAR: "char" >
| < CLASS: "class" >
| < CONST: "const" >
| < CONTINUE: "continue" >
| < _DEFAULT: "default" >
| < DO: "do" >
| < DOUBLE: "double" >
| < ELSE: "else" >
| < EXTENDS: "extends" >
| < FALSE: "false" >
| < FINAL: "final" >
| < FINALLY: "finally" >
| < FLOAT: "float" >
| < FOR: "for" >
| < GOTO: "goto" >
| < IF: "if" >
| < IMPLEMENTS: "implements" >
| < IMPORT: "import" >
| < INSTANCEOF: "instanceof" >
| < INT: "int" >
| < INTERFACE: "interface" >
| < LONG: "long" >
| < NATIVE: "native" >
| < NEW: "new" >
| < NULL: "null" >
| < PACKAGE: "package" >
| < PRIVATE: "private" >
| < PROTECTED: "protected" >
| < PUBLIC: "public" >
| < RETURN: "return" >
| < SHORT: "short" >
| < STATIC: "static" >
| < SUPER: "super" >
| < SWITCH: "switch" >
| < SYNCHRONIZED: "synchronized" >
| < THIS: "this" >
| < THROW: "throw" >
| < THROWS: "throws" >
| < TRANSIENT: "transient" >
| < TRUE: "true" >
| < TRY: "try" >
| < VOID: "void" >
| < VOLATILE: "volatile" >
| < WHILE: "while" >
}



TOKEN : /* LITERALS */
{
  < INTEGER_LITERAL:
        <DECIMAL_LITERAL> (["l","L"])?
      | <HEX_LITERAL> (["l","L"])?
      | <OCTAL_LITERAL> (["l","L"])?
  >
|
  < #DECIMAL_LITERAL: ["1"-"9"] (["0"-"9"])* >
|
  < #HEX_LITERAL: "0" ["x","X"] (["0"-"9","a"-"f","A"-"F"])+ >
|
  < #OCTAL_LITERAL: "0" (["0"-"7"])* >
|
  < FLOATING_POINT_LITERAL:
        (["0"-"9"])+ "." (["0"-"9"])* (<EXPONENT>)? (["f","F","d","D"])?
      | "." (["0"-"9"])+ (<EXPONENT>)? (["f","F","d","D"])?
      | (["0"-"9"])+ <EXPONENT> (["f","F","d","D"])?
      | (["0"-"9"])+ (<EXPONENT>)? ["f","F","d","D"]
  >
|
  < #EXPONENT: ["e","E"] (["+","-"])? (["0"-"9"])+ >
|
  < CHARACTER_LITERAL:
      "'"
      (   (~["'","\\","\n","\r"])
        | ("\\"
            ( ["n","t","b","r","f","\\","'","\""]
            | ["0"-"7"] ( ["0"-"7"] )?
            | ["0"-"3"] ["0"-"7"] ["0"-"7"]
            )
          )
      )
      "'"
  >
|
  < STRING_LITERAL:
      "\""
      (   (~["\"","\\","\n","\r"])
        | ("\\"
            ( ["n","t","b","r","f","\\","'","\""]
            | ["0"-"7"] ( ["0"-"7"] )?
            | ["0"-"3"] ["0"-"7"] ["0"-"7"]
            )
          )
      )*
      "\""
  >
}

TOKEN : /* IDENTIFIERS */
{
  < IDENTIFIER: <LETTER> (<LETTER> | <DIGIT>)* >
|
  < #LETTER:
      [
       "\u0024",
       "\u0041"-"\u005a",
       "\u005f",
       "\u0061"-"\u007a",
       "\u00c0"-"\u00d6",
       "\u00d8"-"\u00f6",
       "\u00f8"-"\u00ff",
       "\u0100"-"\u1fff",
       "\u3040"-"\u318f",
       "\u3300"-"\u337f",
       "\u3400"-"\u3d2d",
       "\u4e00"-"\u9fff",
       "\uf900"-"\ufaff"
      ]
  >
|
  < #DIGIT:
      [
       "\u0030"-"\u0039",
       "\u0660"-"\u0669",
       "\u06f0"-"\u06f9",
       "\u0966"-"\u096f",
       "\u09e6"-"\u09ef",
       "\u0a66"-"\u0a6f",
       "\u0ae6"-"\u0aef",
       "\u0b66"-"\u0b6f",
       "\u0be7"-"\u0bef",
       "\u0c66"-"\u0c6f",
       "\u0ce6"-"\u0cef",
       "\u0d66"-"\u0d6f",
       "\u0e50"-"\u0e59",
       "\u0ed0"-"\u0ed9",
       "\u1040"-"\u1049"
      ]
  >
}

TOKEN : /* SEPARATORS */
{
  < LPAREN: "(" >
| < RPAREN: ")" >
| < LBRACE: "{" >
| < RBRACE: "}" >
| < LBRACKET: "[" >
| < RBRACKET: "]" >
| < SEMICOLON: ";" >
| < COMMA: "," >
| < DOT: "." >
}

TOKEN : /* OPERATORS */
{
  < ASSIGN: "=" >
| < GT: ">" >
| < LT: "<" >
| < BANG: "!" >
| < TILDE: "~" >
| < HOOK: "?" >
| < COLON: ":" >
| < EQ: "==" >
| < LE: "<=" >
| < GE: ">=" >
| < NE: "!=" >
| < SC_OR: "||" >
| < SC_AND: "&&" >
| < INCR: "++" >
| < DECR: "--" >
| < PLUS: "+" >
| < MINUS: "-" >
| < STAR: "*" >
| < SLASH: "/" >
| < BIT_AND: "&" >
| < BIT_OR: "|" >
| < XOR: "^" >
| < REM: "%" >
| < LSHIFT: "<<" >
| < RSIGNEDSHIFT: ">>" >
| < RUNSIGNEDSHIFT: ">>>" >
| < PLUSASSIGN: "+=" >
| < MINUSASSIGN: "-=" >
| < STARASSIGN: "*=" >
| < SLASHASSIGN: "/=" >
| < ANDASSIGN: "&=" >
| < ORASSIGN: "|=" >
| < XORASSIGN: "^=" >
| < REMASSIGN: "%=" >
| < LSHIFTASSIGN: "<<=" >
| < RSIGNEDSHIFTASSIGN: ">>=" >
| < RUNSIGNEDSHIFTASSIGN: ">>>=" >
}



/*****************************************
 * THE JAVA LANGUAGE GRAMMAR STARTS HERE *
 *****************************************/

/*
 * Program structuring syntax follows.
 */

Triple CompilationUnit(Gamma gamma) :
{ Triple cs = null; }
{
  // [ PackageDeclaration() ]
  // ( ImportDeclaration() )*
  ( cs = TypeDeclaration(gamma) )*
  <EOF>
  { return cs; }
}

void PackageDeclaration() :
{}
{
  "package" Name() ";"
}

void ImportDeclaration() :
{}
{
  "import" Name() [ "." "*" ] ";"
}

Triple TypeDeclaration(Gamma gamma) :
{ Triple cs = null; }
{
  ( LOOKAHEAD( ( "abstract" | "final" | "public" )* "class" )
    cs = ClassDeclaration(gamma)
  |
    InterfaceDeclaration(gamma)
  |
    ";" )
  { return cs; }
}

/*
 * Declaration syntax follows.
 */

Triple ClassDeclaration(Gamma gamma) :
{
  Triple cs = null;
  Dual d = new Dual(cs, gamma);
}
{
  ( "abstract" | "final" | "public" )*
  "class" <IDENTIFIER> [ "extends" Name() ] [ "implements" NameList() ]
  "{" ( d = ClassBodyDeclaration(d.gamma) )* "}"
  {
    if (d != null) {
      return d.cs;
    }
    else {
      return cs;
    } //end if
  }
}

Dual ClassBodyDeclaration(Gamma gamma) :
{
  Triple cs = null;
  Dual d = null;
}
{
  (
/*
    LOOKAHEAD(2)
    StaticInitializer()
  |
*/
    LOOKAHEAD( [ "public" | "protected" | "private" ] Name() "(" )
    cs = ConstructorDeclaration(gamma)
    { d = new Dual(cs, gamma); }
  |
    LOOKAHEAD( MethodDeclarationLookahead() )
    d = MethodDeclaration(gamma)
  |
    d = FieldDeclaration(gamma) )
  {
    System.out.println("Constraint set: " + d.cs);
    System.out.println("Gamma: " + d.gamma);
    return d;
  }
}

// This production is to determine lookahead only.
void MethodDeclarationLookahead() :
{}
{
  ( "public" | "protected" | "private" | "static" | "abstract" |
    "final" | "native" | "synchronized" )*
  ResultType() <IDENTIFIER> "("
}

void InterfaceDeclaration(Gamma gamma) :
{ Triple cs = null; }
{
  ( "abstract" | "public" )*
  "interface" <IDENTIFIER> [ "extends" NameList() ]
  "{" ( InterfaceMemberDeclaration(gamma) )* "}"
}

void InterfaceMemberDeclaration(Gamma gamma) :
{}
{
  LOOKAHEAD( MethodDeclarationLookahead() )
  MethodDeclaration(gamma)
|
  FieldDeclaration(gamma)
}

Dual FieldDeclaration(Gamma gamma) :
{
  Dual d = null;
}
{
  ( "public" | "protected" | "private" | "static" | "final" |
    "transient" | "volatile" )*
  Type() d = VariableDeclarator(gamma) ";"
  {
    return d;
  }
}

Dual VariableDeclarator(Gamma gamma) :
{
  Triple cs = new Triple(sg.NextSymbol(), "");
  String id;
}
{
  id = VariableDeclaratorId() ( "=" cs = VariableInitializer(gamma) |
                                cs = Default() )
  {
    gamma = gamma.Append(new GammaItem(id, cs.getType(), "var"));
    Dual d = new Dual(cs, gamma);
    return d;
  }
}

Triple Default() :
{}
{
  { return new Triple(sg.NextSymbol(), ""); }
}

String VariableDeclaratorId() :
{ String id; }
{
  <IDENTIFIER>
  { id = token.image; }
  // ( "[" "]" )*
  { return id; }
}

Triple VariableInitializer(Gamma gamma) :
{ Triple cs = null; }
{
/*
  "{" [ VariableInitializer() ( LOOKAHEAD(2) "," VariableInitializer() )* ] [ "," ] "}"
|
*/
  cs = Expression(gamma)
  { return cs; }
}

Dual MethodDeclaration(Gamma gamma) :
{
  Triple cs = null;
  Dual d = new Dual(cs, gamma);
  Gamma temp;
  Gamma param = new Gamma("param");
}
{
  ( "public" | "protected" | "private" | "static" | "abstract" |
    "final" | "native" | "synchronized" )*
  ResultType()
  temp = MethodDeclarator(gamma, d)
  {
    while (!(temp.isEmpty())) {
      GammaItem gi = (GammaItem) temp.getFromList();
      gamma = gamma.Append(gi);
      param = param.Append(gi);
      temp = temp.removeFromList();
    } //end while
  }
  [ "throws" NameList() ]
  ( cs = Block(gamma) | ";" )
  {
    GammaItem GI = new GammaItem(d.id, cs.getType(), "proc");
    GI.setParam(param);
    d.gamma = d.gamma.Append(GI);
    return new Dual(cs, d.gamma);
  }
}

Gamma MethodDeclarator(Gamma gamma, Dual d) :
{ String id; }
{
  <IDENTIFIER> { id = token.image; }
  gamma = FormalParameters() ( "[" "]" )*
  {
    d.id = id;
    return gamma;
  }
}

Gamma FormalParameters() :
{ Gamma temp = new Gamma("temp"); }
{
  // The "," separator is restored here; it is needed to parse p(int x, int y).
  "(" [ temp = FormalParameter(temp) ( "," temp = FormalParameter(temp) )* ] ")"
  { return temp; }
}

Gamma FormalParameter(Gamma gamma) :
{ String id; }
{
  Type() id = VariableDeclaratorId()
  {
    gamma = gamma.Append(new GammaItem(id, sg.NextSymbol(), "var"));
    return gamma;
  }
}

Triple ConstructorDeclaration(Gamma gamma) :
{ Triple cs = null; }
{
  [ "public" | "protected" | "private" ]
  <IDENTIFIER> gamma = FormalParameters() [ "throws" NameList() ]
  "{" // [ LOOKAHEAD(2) ExplicitConstructorInvocation() ]
      ( cs = BlockStatement(gamma) )* "}"
  { return cs; }
}

/*
void ExplicitConstructorInvocation() :
{}
{
  "this" Arguments() ";"
|
  "super" Arguments() ";"
}

void StaticInitializer() :
{}
{
  "static" Block()
}
*/

/*
 * Type, name and expression syntax follows.
 */

void Type() :
{}
{
  ( PrimitiveType() | Name() ) ( "[" "]" )*
}

void PrimitiveType() :
{}
{
  "boolean"
|
  "char"
|
  "byte"
|
  "short"
|
  "int"
|
  "long"
|
  "float"
|
  "double"
}

void ResultType() :
{}
{
  "void"
|
  Type()
}

String Name() :
/*
 * A lookahead of 2 is required below since "Name" can be followed
 * by a ".*" when used in the context of an "ImportDeclaration".
 */
{ String id; }
{
  <IDENTIFIER>
  { id = token.image; }
  // ( LOOKAHEAD(2) "." <IDENTIFIER> )*
  { return id; }
}

void NameList() :
{}
{
  Name()
  ( "," Name()
  )*
}

/*
 * Expression syntax follows.
 */

Triple Expression(Gamma gamma) :
{ Triple cs; }
{
  ( LOOKAHEAD( PrimaryExpression(gamma) AssignmentOperator() )
    cs = Assignment(gamma)
  |
    cs = ConditionalOrExpression(gamma) )
  { return cs; }
}

Triple Assignment(Gamma gamma) :
{
  String id;
  Triple cs;
}
{
  id = PrimaryLeftExpression() AssignmentOperator() cs = Expression(gamma)
  {
    GammaItem item = gamma.FindType(id);
    if (item != null) {
      String mod = item.getModifier();
      if (mod.equals("var") || mod.equals("acc")) {
        String tau = item.getType();
        String tauPrime = cs.getType();
        String alpha = sg.NextSymbol();
        // tau = tauPrime (as two inequalities) and alpha <= tauPrime
        ConstraintItem ci1 = new ConstraintItem(tau, tauPrime);
        ConstraintItem ci2 = new ConstraintItem(tauPrime, tau);
        ConstraintItem ci3 = new ConstraintItem(alpha, tauPrime);
        cs = cs.Append(ci1);
        cs = cs.Append(ci2);
        cs = cs.Append(ci3);
        cs.setModifier("cmd");
        cs.setType(alpha);
      }
      else {
        System.err.println("Secure Parse failed");
        System.exit(0);
      } //end if
    }
    else {
      System.out.println("Unrecognized variable " + id);
      System.exit(0);
    } //end if
    return cs;
  }
}

void AssignmentOperator() :
{}
{
  "=" | "*=" | "/=" | "%=" | "+=" | "-=" | "<<=" | ">>=" | ">>>=" |
  "&=" | "^=" | "|="
}

/*
void ConditionalExpression() :
{}
{
  ConditionalOrExpression() [ "?" Expression() ":"
  ConditionalExpression() ]
}
*/

Triple ConditionalOrExpression(Gamma gamma) :
{
  Triple cs1;
  Triple cs2 = null;
}
{
  cs1 = ConditionalAndExpression(gamma) ( "||" cs2 =
        ConditionalAndExpression(gamma)
    {
      if (cs2 != null) {
        String tau1 = cs1.getType();
        String tau2 = cs2.getType();
        ConstraintItem ci1 = new ConstraintItem(tau1, tau2);
        ConstraintItem ci2 = new ConstraintItem(tau2, tau1);
        cs1 = cs1.Union(cs2).Append(ci1).Append(ci2);
      }
    }
  )*
  { return cs1; }
}

Triple ConditionalAndExpression(Gamma gamma) :
{
  Triple cs1;
  Triple cs2 = null;
}
{
  cs1 = InclusiveOrExpression(gamma) ( "&&" cs2 =
        InclusiveOrExpression(gamma)
    {
      if (cs2 != null) {
        String tau1 = cs1.getType();
        String tau2 = cs2.getType();
        ConstraintItem ci1 = new ConstraintItem(tau1, tau2);
        ConstraintItem ci2 = new ConstraintItem(tau2, tau1);
        cs1 = cs1.Union(cs2).Append(ci1).Append(ci2);
      }
    }
  )*
  { return cs1; }
}

Triple InclusiveOrExpression(Gamma gamma) :
{
  Triple cs1;
  Triple cs2 = null;
}
{
  cs1 = ExclusiveOrExpression(gamma) ( "|" cs2 =
        ExclusiveOrExpression(gamma)
    {
      if (cs2 != null) {
        String tau1 = cs1.getType();
        String tau2 = cs2.getType();
        ConstraintItem ci1 = new ConstraintItem(tau1, tau2);
        ConstraintItem ci2 = new ConstraintItem(tau2, tau1);
        cs1 = cs1.Union(cs2).Append(ci1).Append(ci2);
      }
    }
  )*
  { return cs1; }
}

Triple ExclusiveOrExpression(Gamma gamma) :
{
  Triple cs1;
  Triple cs2 = null;
}
{
  cs1 = AndExpression(gamma) ( "^" cs2 = AndExpression(gamma)
    {
      if (cs2 != null) {
        String tau1 = cs1.getType();
        String tau2 = cs2.getType();
        ConstraintItem ci1 = new ConstraintItem(tau1, tau2);
        ConstraintItem ci2 = new ConstraintItem(tau2, tau1);
        cs1 = cs1.Union(cs2).Append(ci1).Append(ci2);
      }
    }
  )*
  { return cs1; }
}

Triple AndExpression(Gamma gamma) :
{
  Triple cs1;
  Triple cs2 = null;
}
{
  cs1 = EqualityExpression(gamma) ( "&" cs2 = EqualityExpression(gamma)
    {
      if (cs2 != null) {
        String tau1 = cs1.getType();
        String tau2 = cs2.getType();
        ConstraintItem ci1 = new ConstraintItem(tau1, tau2);
        ConstraintItem ci2 = new ConstraintItem(tau2, tau1);
        cs1 = cs1.Union(cs2).Append(ci1).Append(ci2);
      }
    }
  )*
  { return cs1; }
}

Triple EqualityExpression(Gamma gamma) :
{
  Triple cs1;
  Triple cs2 = null;
}
{
  cs1 = RelationalExpression(gamma) ( ( "==" | "!=" ) cs2 =
        RelationalExpression(gamma)
    {
      if (cs2 != null) {
        String tau1 = cs1.getType();
        String tau2 = cs2.getType();
        ConstraintItem ci1 = new ConstraintItem(tau1, tau2);
        ConstraintItem ci2 = new ConstraintItem(tau2, tau1);
        cs1 = cs1.Union(cs2).Append(ci1).Append(ci2);
      }
    }
  )*
  { return cs1; }
}

/*
void InstanceOfExpression() :
{}
{
  RelationalExpression() [ "instanceof" Type() ]
}
*/

Triple RelationalExpression(Gamma gamma) :
{
  Triple cs1;
  Triple cs2 = null;
}
{
  cs1 = ShiftExpression(gamma) ( ( "<" | ">" | "<=" | ">=" ) cs2 =
        ShiftExpression(gamma)
    {
      if (cs2 != null) {
        String tau1 = cs1.getType();
        String tau2 = cs2.getType();
        ConstraintItem ci1 = new ConstraintItem(tau1, tau2);
        ConstraintItem ci2 = new ConstraintItem(tau2, tau1);
        cs1 = cs1.Union(cs2).Append(ci1).Append(ci2);
      }
    }
  )*
  { return cs1; }
}

Triple ShiftExpression(Gamma gamma) :
{
  Triple cs1;
  Triple cs2 = null;
}
{
  cs1 = AdditiveExpression(gamma) ( ( "<<" | ">>" | ">>>" ) cs2 =
        AdditiveExpression(gamma)
    {
      if (cs2 != null) {
        String tau1 = cs1.getType();
        String tau2 = cs2.getType();
        ConstraintItem ci1 = new ConstraintItem(tau1, tau2);
        ConstraintItem ci2 = new ConstraintItem(tau2, tau1);
        cs1 = cs1.Union(cs2).Append(ci1).Append(ci2);
      }
    }
  )*
  { return cs1; }
}

Triple AdditiveExpression(Gamma gamma) :
{
  Triple cs1;
  Triple cs2 = null;
}
{
  cs1 = MultiplicativeExpression(gamma) ( ( "+" | "-" ) cs2 =
        MultiplicativeExpression(gamma)
    {
      if (cs2 != null) {
        String tau1 = cs1.getType();
        String tau2 = cs2.getType();
        ConstraintItem ci1 = new ConstraintItem(tau1, tau2);
        ConstraintItem ci2 = new ConstraintItem(tau2, tau1);
        cs1 = cs1.Union(cs2).Append(ci1).Append(ci2);
      }
    }
  )*
  {
    return cs1;
  }
}

Triple MultiplicativeExpression(Gamma gamma) :
{
  Triple cs1;
  Triple cs2 = null;
}
{
  cs1 = UnaryExpression(gamma) ( ( "*" | "/" | "%" ) cs2 =
        UnaryExpression(gamma)
    {
      if (cs2 != null) {
        String tau1 = cs1.getType();
        String tau2 = cs2.getType();
        ConstraintItem ci1 = new ConstraintItem(tau1, tau2);
        ConstraintItem ci2 = new ConstraintItem(tau2, tau1);
        cs1 = cs1.Union(cs2).Append(ci1).Append(ci2);
      }
    }
  )*
  {
    return cs1;
  }
}

Triple UnaryExpression(Gamma gamma) :
{ Triple cs; }
{
  ( ( "+" | "-" ) cs = UnaryExpression(gamma)
/*
  |
    PreIncrementExpression()
  |
    PreDecrementExpression()
*/
  |
    cs = UnaryExpressionNotPlusMinus(gamma) )
  { return cs; }
}

/*
void PreIncrementExpression() :
{}
{
  "++" PrimaryExpression()
}

void PreDecrementExpression() :
{}
{
  "--" PrimaryExpression()
}
*/

Triple UnaryExpressionNotPlusMinus(Gamma gamma) :
{ Triple cs; }
{
  ( ( "~" | "!" ) cs = UnaryExpression(gamma)
  |
/*
    LOOKAHEAD( CastLookahead() )
    CastExpression()
  |
*/
    cs = PostfixExpression(gamma) )
  { return cs; }
}

/*
// This production is to determine lookahead only.  The LOOKAHEAD
// specifications below are not used, but they are there just to
// indicate that we know about this.
void CastLookahead() :
{}
{
  LOOKAHEAD(2)
  "(" PrimitiveType()
|
  LOOKAHEAD( "(" Name() "[" )
  "(" Name() "[" "]"
|
  "(" Name() ")" ( "~" | "!" | "(" | <IDENTIFIER> | "this" | "super" |
                   "new" | Literal() )
}
*/

Triple PostfixExpression(Gamma gamma) :
{ Triple cs; }
{
  cs = PrimaryExpression(gamma) // [ "++" | "--" ]
  { return cs; }
}

/*
void CastExpression() :
{}
{
  ( LOOKAHEAD(2)
    "(" PrimitiveType() ( "[" "]" )* ")" UnaryExpression()
  |
    "(" Name() ( "[" "]" )* ")" UnaryExpressionNotPlusMinus() )
}
*/

Triple PrimaryExpression(Gamma gamma) :
{ Triple cs = null; }
{
  cs = PrimaryPrefix(gamma) // ( PrimarySuffix(gamma) )*
  { return cs; }
}
Triple PrimaryPrefix(Gamma gamma) :
{
  Triple cs = null;
  Triple cs1 = null;
  Triple cs2 = null;
  String id = null;
  Gamma temp = null;
}
{
  ( cs = Literal()
  |
    [ "this" "." ] id = Name()
    {
      GammaItem item = gamma.FindType(id);
      if (item != null) {
        String mod = item.getModifier();
        if (mod.equals("var") || mod.equals("")) {
          String tau = item.getType();
          String alpha = sg.NextSymbol();
          ConstraintItem ci1 = new ConstraintItem(tau, alpha);
          cs = new Triple(ci1, alpha, "");
        }
        else if (mod.equals("proc")) {
          temp = item.getParam();
        }
        else {
          System.err.println("Secure Parse failed");
          System.exit(0);
        }//end if
      }
      else {
        System.out.println("Undefined variable: " + id);
        // System.exit(0);
        temp = new Gamma("temp").Append(new GammaItem("", sg, ""));
      }//end if
    }
    [ "(" [ cs1 = PrimaryPrefix(gamma)
      {
        //create constraint type(cs1) = type(param)
        String tauPrime = cs1.getType();
        String tau1 = ((GammaItem) temp.getFromList()).getType();
        temp.removeFromList();
        ConstraintItem ci1 = new ConstraintItem(tau1, tauPrime);
        ConstraintItem ci2 = new ConstraintItem(tauPrime, tau1);
        //add constraint to cs1
        cs1 = cs1.Append(ci1).Append(ci2);
        cs = cs1;
      }
      ( "," cs2 = PrimaryPrefix(gamma)
        {
          //create constraint type(cs2) = type(param)
          String tauDoublePrime = cs2.getType();
          String tau2 = ((GammaItem) temp.getFromList()).getType();
          temp.removeFromList();
          ConstraintItem ci3 = new ConstraintItem(tau2, tauDoublePrime);
          ConstraintItem ci4 = new ConstraintItem(tauDoublePrime, tau2);
          //cs1 Union cs2
          cs1 = cs1.Union(cs2);
          //add constraint to cs1
          cs1 = cs1.Append(ci3).Append(ci4);
          cs = cs1;
        }
      )* ]
    ")" ]
  /*
  |
    "this"
  |
    "super" <IDENTIFIER>
  */
  |
    "(" cs = Expression(gamma) ")"
  /*
  |
    AllocationExpression()
  */
  )
  { return cs; }
}

/*
Triple PrimarySuffix() :
{}
{
  "[" Expression() "]"
|
  <IDENTIFIER>
|
  Arguments()
}
*/

String PrimaryLeftExpression() :
{}
{
  [ "(" ] [ "this" ] Name() [ ")" ]
  { return token.image; }
}
Triple Literal() :
{}
{
  ( <INTEGER_LITERAL>
  |
    <FLOATING_POINT_LITERAL>
  |
    <CHARACTER_LITERAL>
  |
    <STRING_LITERAL>
  |
    BooleanLiteral()
  |
    NullLiteral() )
  {return new Triple(sg.NextSymbol(),

void BooleanLiteral() :
{}
{
  "true"
|
  "false"
}

void NullLiteral() :
{}
{
  "null"
}

/*
void Arguments() :
{}
{
  "(" [ ArgumentList() ] ")"
}

Triple ArgumentList(Gamma gamma) :
{}
{
  Expression() ( Expression() )*
}

void AllocationExpression() :
{}
{
  LOOKAHEAD(2)
  "new" PrimitiveType() ArrayDimensions()
|
  "new" Name() ( Arguments() | ArrayDimensions() )
}
*/

/* The second LOOKAHEAD specification below is to parse to
 * PrimarySuffix if there is an expression between the */

/*
void ArrayDimensions() :
{}
{
  ( LOOKAHEAD(2) Expression() "]" )+ ( LOOKAHEAD(2) "[" "]" )*
}
*/

/*
 * Statement syntax follows.
 */

Triple Statement(Gamma gamma) :
{Triple cs = null;}
{
  (LOOKAHEAD(2)
  /*
    LabeledStatement()
  |
  */
    cs = Block(gamma)
  |
    cs = EmptyStatement(gamma)
  |
    cs = StatementExpression(gamma)
  |
  /*
    SwitchStatement()
  |
  */
    cs = IfStatement(gamma)
  |
    cs = WhileStatement(gamma)
  |
    cs = DoStatement(gamma)
  /*
  |
    ForStatement()
  |
    BreakStatement()
  |
    ContinueStatement()
  |
    ReturnStatement()
  |
    ThrowStatement()
  |
    SynchronizedStatement()
  |
    TryStatement()
  */
  )
  { return cs; }
}

/*
void LabeledStatement() :
{}
{
  <IDENTIFIER> ":" Statement()
}
*/

Triple Block(Gamma gamma) :
{ Triple cs; }
{
  "{" cs = BlockStatementList(gamma) "}"
  {return cs;}
}



Triple BlockStatementList(Gamma gamma) :
{
  Triple cs1 = null;
  Triple cs2;
}
{
  ( LOOKAHEAD(2) cs2 = BlockStatement(gamma)
    {
      if (cs2 != null) {
        if (cs1 == null) {
          cs1 = cs2;
        }
        else {
          String tau1 = cs1.getType();
          String tau2 = cs2.getType();
          ConstraintItem ci1 = new ConstraintItem(tau1, tau2);
          ConstraintItem ci2 = new ConstraintItem(tau2, tau1);
          cs1 = cs1.Union(cs2);
          cs1 = cs1.Append(ci1);
          cs1 = cs1.Append(ci2);
        }//end if
      }//end if
    }
  )+
  { return cs1; }
}

Triple BlockStatement(Gamma gamma) :
{ Triple cs; }
{
  (LOOKAHEAD(Type() <IDENTIFIER>)
    cs = LetvarStatement(gamma)
  |
    cs = Statement(gamma) )
  { return cs; }
}

Triple LetvarStatement(Gamma gamma) :
{
  Dual d;
  Triple cs = null;
}
{
  d = LocalVariableDeclaration(gamma) ";"
  { gamma = d.gamma; }
  cs = BlockStatementList(gamma)
  {
    if (cs != null) {
      cs.Union(d.cs);
      cs.setModifier("cmd");
    }
    else {
      cs = d.cs;
    }
    return cs;
  }
}

Dual LocalVariableDeclaration(Gamma gamma) :
{ Dual d; }
{
  Type()
  d = VariableDeclarator(gamma)
  ( VariableDeclarator(gamma) )*
  { return d; }
}

Triple EmptyStatement(Gamma gamma) :
{}
{
  ";"
  {return new Triple(sg.NextSymbol(), "cmd"); }
}
Triple StatementExpression(Gamma gamma) :
/*
 * The last expansion of this production accepts more than the legal
 * Java expansions for StatementExpression.
 */
{Triple cs;}
{
  ( LOOKAHEAD( PrimaryExpression(gamma) AssignmentOperator(gamma) )
    cs = Assignment(gamma)
  |
    cs = PostfixExpression(gamma) )
  { return cs; }
}

void SwitchStatement() :
{}
{
  "switch" "(" Expression() ")" "{"
    ( SwitchLabel() ( BlockStatement() )* )*
  "}"
}

void SwitchLabel() :
{}
{
  "case" Expression() ":"
|
  "default" ":"
}
Triple IfStatement(Gamma gamma) :
/*
 * The disambiguating algorithm of JavaCC automatically binds dangling
 * else's to the innermost if statement.  The LOOKAHEAD specification
 * is to tell JavaCC that we know what we are doing.
 */
{
  Triple cs;
  Triple cs1;
  Triple cs2 = null;
}
{
  "if" "(" cs = Expression(gamma) ")"
  cs1 = Statement(gamma)
  [ LOOKAHEAD(1) "else" cs2 = Statement(gamma) ]
  {
    String tau = cs.getType();
    String tau1 = cs1.getType();
    String alpha = sg.NextSymbol();
    // ci1 and ci2 relate the guard type and the branch type in both directions
    ConstraintItem ci1 = new ConstraintItem(tau, tau1);
    ConstraintItem ci2 = new ConstraintItem(tau1, tau);
    ConstraintItem ci3 = new ConstraintItem(alpha, tau);
    cs = cs.Union(cs1).Append(ci1).Append(ci2).Append(ci3);
    cs.setType(alpha);
    cs.setModifier("cmd");
    if (cs2 != null) {
      String tau2 = cs2.getType();
      ConstraintItem ci4 = new ConstraintItem(tau, tau2);
      ConstraintItem ci5 = new ConstraintItem(tau2, tau);
      ConstraintItem ci6 = new ConstraintItem(tau1, tau2);
      ConstraintItem ci7 = new ConstraintItem(tau2, tau1);
      cs =
        cs.Union(cs2).Append(ci4).Append(ci5).Append(ci6).Append(ci7);
    }//end if
    return cs;
  }
}
Triple WhileStatement(Gamma gamma) :
{
  Triple cs1 = null;
  Triple cs2 = null;
}
{
  "while" "(" cs1 = Expression(gamma) ")" cs2 = Statement(gamma)
  {
    String tau = cs1.getType();
    String tauPrime = cs2.getType();
    String alpha = sg.NextSymbol();
    ConstraintItem ci1 = new ConstraintItem(tau, tauPrime);
    ConstraintItem ci2 = new ConstraintItem(tauPrime, tau);
    ConstraintItem ci3 = new ConstraintItem(alpha, tau);
    cs1 = cs1.Union(cs2).Append(ci1).Append(ci2).Append(ci3);
    cs1.setType(alpha);
    cs1.setModifier("cmd");
    return cs1;
  }
}

Triple DoStatement(Gamma gamma) :
{
  Triple cs1 = null;
  Triple cs2 = null;
}
{
  "do" cs2 = Statement(gamma) "while" "(" cs1 = Expression(gamma) ")"
  {
    String tau = cs1.getType();
    String tauPrime = cs2.getType();
    String alpha = sg.NextSymbol();
    ConstraintItem ci1 = new ConstraintItem(tau, tauPrime);
    ConstraintItem ci2 = new ConstraintItem(tauPrime, tau);
    ConstraintItem ci3 = new ConstraintItem(alpha, tau);
    cs1 = cs1.Union(cs2).Append(ci1).Append(ci2).Append(ci3);
    cs1.setType(alpha);
    cs1.setModifier("cmd");
    return cs1;
  }
}



/*
void ForStatement() :
{}
{
  "for" "(" [ ForInit() ] ";"
            [ Expression() ] ";"
            [ ForUpdate() ] ")"
  Statement()
}

void ForInit() :
{}
{
  LOOKAHEAD( Type() <IDENTIFIER> )
  LocalVariableDeclaration()
|
  StatementExpressionList()
}

void StatementExpressionList() :
{}
{
  StatementExpression() ( StatementExpression() )*
}

void ForUpdate() :
{}
{
  StatementExpressionList()
}

void BreakStatement() :
{}
{
  "break" [ <IDENTIFIER> ]
}

void ContinueStatement() :
{}
{
  "continue" [ <IDENTIFIER> ]
}

void ReturnStatement() :
{}
{
  "return" [ Expression() ]
}

void ThrowStatement() :
{}
{
  "throw" Expression()
}

void SynchronizedStatement() :
{}
{
  "synchronized" "(" Expression() ")" Block()
}

void TryStatement() :
{}
{
  "try" Block()
  ( "catch" "(" FormalParameter() ")" Block() )*
  [ "finally" Block() ]
}
*/
APPENDIX B - STATIC ANALYZER SOURCE CODE

//************************************************************
// File: Gamma.java
// Date: 24 Feb 98
//
// Author: LT James D. Harvey, USN
//
// Purpose: Developed as part of a secure information flow static
//          analyzer. Basically a linked list.
//************************************************************

package thesis;

import java.io.*;

public class Gamma
{
  protected Object obj;
  protected Gamma next;
  protected Gamma rear = null;
  public String name;

  public Gamma(String name)
  {
    this.obj = null;
    this.next = this;
    this.name = name;
    if (rear == null)
      rear = this;
  }

  private Gamma()
  {
    this.obj = null;
    this.next = this;
  }

  public Object getFromList()
  {
    return this.obj;
  }

  public Gamma removeFromList()
  {
    return this.next;
  }

  public synchronized boolean isEmpty()
  {
    if (this == rear)
      return true;
    else
      return false;
  }

  public Gamma Append(GammaItem gi)
  {
    Gamma g = new Gamma();
    g.obj = gi;
    g.next = this;
    return g;
  }

  public GammaItem FindType(String name)
  {
    GammaItem temp = null;
    Gamma list = this;
    boolean matchFound = false;
    do {
      if (list.obj == null)
        return null;
      String item = ((GammaItem) list.obj).Name;
      if (item.equals(name)) {
        temp = (GammaItem) list.obj;
        matchFound = true;
      }
      else {
        list = (Gamma) list.next;
      }//end if
    } while (!matchFound);
    return temp;
  }

  public String toString()
  {
    if (isEmpty())
      return " ";
    else
      return (this.obj + ", " + this.next);
  }
}//end gamma class



//************************************************************
// File: GammaItem.java
// Date: 24 Feb 98
//
// Author: LT James D. Harvey, USN
//
// Purpose: Developed as part of a secure information flow static
//          analyzer. It is an item to be placed into gamma. The
//          structure consists of a name and a type. The type may
//          consist of 1-3 fields.
//************************************************************

package thesis;

import java.io.*;

public class GammaItem
{
  protected String Name;
  protected String Type;
  protected String Modifier;
  private Gamma param;

  public GammaItem(String Name, SymbolGenerator sg, String mod)
  {
    this.Name = Name;
    this.Type = sg.NextSymbol();
    this.Modifier = mod;
  }

  public GammaItem(String Name, String Type, String mod)
  {
    this.Name = Name;
    this.Type = Type;
    this.Modifier = mod;
  }

  public void setParam(Gamma gamma)
  {
    this.param = gamma;
  }

  public Gamma getParam()
  {
    return this.param;
  }

  public String getName()
  {
    return this.Name;
  }

  public String getType()
  {
    return this.Type;
  }

  public String getModifier()
  {
    return this.Modifier;
  }

  public String toString()
  {
    if (Modifier.equals("proc")) {
      return ("(" + Name + ":" + Type + Modifier + "(" + param + ")" + ")");
    }
    else {
      return ("(" + Name + ":" + Type + Modifier + ")");
    }//end if
  }
}//end class
//************************************************************
// File: Triple.java
// Date: 24 Feb 98
//
// Author: LT James D. Harvey, USN
//
// Purpose: Developed as part of a secure information flow static
//          analyzer. The structure consists of a constraint set
//          and a principle type. The type may consist of 1-2
//          fields.

package thesis;

public class Triple
{
  private LinkedList ConstraintSet;
  private String Type;
  private String TypeModifier;

  public Triple()
  {
    this.Type = "Type";
    this.TypeModifier = "mod";
    ConstraintSet = new LinkedList("name");
  }

  public Triple(ConstraintItem ci, String Type, String Modifier)
  {
    ConstraintSet = new LinkedList("name");
    this.Type = Type;
    this.TypeModifier = Modifier;
    ConstraintSet = ConstraintSet.addToList(ci);
  }

  public Triple(LinkedList ConstraintSet, String Type, String Modifier)
  {
    this.Type = Type;
    this.TypeModifier = Modifier;
    this.ConstraintSet = ConstraintSet;
  }

  public Triple(String Type, String Modifier)
  {
    this.Type = Type;
    this.TypeModifier = Modifier;
    ConstraintSet = new LinkedList("name");
  }

  public String getType()
  {
    return this.Type;
  }

  public String getModifier()
  {
    return this.TypeModifier;
  }

  public void setModifier(String Modifier)
  {
    this.TypeModifier = Modifier;
  }

  public void setType(String type)
  {
    this.Type = type;
  }

  public Triple Union(Triple setTwo)
  {
    LinkedList temp = this.ConstraintSet;
    if ((ConstraintItem) temp.obj == null) {
      return new Triple(setTwo.ConstraintSet, this.Type,
                        this.TypeModifier);
    }
    // walk to the last real node, then splice setTwo's list onto it
    while (temp.next.obj != null) {
      temp = temp.next;
    }
    temp.next = setTwo.ConstraintSet;
    this.ConstraintSet.rear = setTwo.ConstraintSet.rear;
    return new Triple(this.ConstraintSet, this.Type, this.TypeModifier);
  }

  public Triple Append(ConstraintItem C)
  {
    return new Triple(this.ConstraintSet.addToList(C), this.Type,
                      this.TypeModifier);
  }

  public String toString()
  {
    return ("{" + "[" + ConstraintSet + "]" + Type + TypeModifier + "}");
  }
}//end class
//************************************************************
// File: ConstraintItem.java
// Date: 24 Feb 98
//
// Author: LT James D. Harvey, USN
//
// Purpose: Developed as part of a secure information flow static
//          analyzer. The structure consists two types.
//************************************************************

package thesis;

public class ConstraintItem
{
  protected String Type1;
  protected String Type2;

  public ConstraintItem(String Type1, String Type2)
  {
    this.Type1 = Type1;
    this.Type2 = Type2;
  }

  public String toString()
  {
    // the separator literal is illegible in the source scan; " <= " is assumed
    return ("(" + Type1 + " <= " + Type2 + ")");
  }
}
// File: LinkedList.java
// Date: 24 Feb 96
//
// Author: LT James D. Harvey, USN
//
// Purpose: Developed as part of a secure information flow static
//          analyzer.
//************************************************************

package thesis;

public class LinkedList
{
  protected Object obj;
  protected LinkedList next;
  protected LinkedList rear = null;
  public String name;

  public LinkedList(String name)
  {
    this.obj = null;
    this.next = this;
    this.name = name;
    if (rear == null)
      rear = this;
  }

  private LinkedList()
  {
    this.obj = null;
    this.next = this;
  }

  public LinkedList addToList(Object o)
  {
    LinkedList l = new LinkedList();
    l.obj = o;
    l.next = this;
    return l;
  }

  public Object getFromList()
  {
    return this.obj;
  }

  public LinkedList removeFromList()
  {
    return this.next;
  }

  public synchronized boolean isEmpty()
  {
    if (this == rear)
      return true;
    else
      return false;
  }

  public String toString()
  {
    if (isEmpty())
      return " ";
    else
      return (this.obj + " " + this.next);
  }
}//end class
//************************************************************
// File: SymbolGenerator.java
// Date: 24 Feb 98
//
// Author: LT James D. Harvey, USN
//
// Purpose: Developed as part of a secure information flow static
//          analyzer. Generates new type variables
//************************************************************

package thesis;

import java.io.*;
import java.lang.*;

public class SymbolGenerator
{
  private int counter = 0;
  private static String TAU = "tau";

  public synchronized String NextSymbol()
  {
    String Symbol = TAU + counter;
    counter++;
    return Symbol;
  }

  public static void main(String[] args)
  {
    SymbolGenerator sg = new SymbolGenerator();
    for (int i = 0; i < 10; i++) {
      System.out.println(sg.NextSymbol());
    }
  }
}//end class
//************************************************************
// File: SymbolGenerator.java
// Date: 24 Feb 98
//
// Author: LT James D. Harvey, USN
//
// Purpose: Developed as part of a secure information flow static
//          analyzer. A data structure
//************************************************************

package thesis;

public class Dual
{
  public Triple cs;
  public Gamma gamma;
  public String id;

  public Dual(Triple cs, Gamma gamma)
  {
    this.cs = cs;
    this.gamma = gamma;
  }
}
APPENDIX C - TEST PROGRAMS

//************************************************************
// File: test.java
// Date: 24 Feb 98
//
// Author: LT James D. Harvey, USN
//
// Purpose: Developed as part of a secure information flow static
//          analyzer.
//************************************************************

class test
{
  public static void p1(int x, int y)
  {
    y = x;
  }
}

The output of the static analyzer on the above program produced the following results:

Constraint set: {τ3 ≤ τ2, τ2 = τ1, τ0 ≤ τ2}

Gamma: p1 : τ3 proc(τ0 var, τ1 var)

Results show, with x : τ0 var and y : τ1 var, that τ0 ≤ τ1. This is what we would expect to
ensure secure flow since the program assigns the value of x to y.
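
To show how such a constraint set is put to use, the following added example (not part of the thesis code) checks a security labelling of x and y against the constraints printed above for this test program. It assumes security levels are integers on a chain, so it handles more than two levels, and it stores each equality as a pair of inequalities as the analyzer does; the class FlowCheck and its methods are hypothetical names.

```java
import java.util.*;

/** Added example (not thesis code): checks a labelling against inferred flow constraints. */
public class FlowCheck {

    /** One inequality lo <= hi between type variables. */
    static final class Leq {
        final String lo, hi;
        Leq(String lo, String hi) { this.lo = lo; this.hi = hi; }
    }

    /**
     * Levels are integers on a chain (0 = lowest). `fixed` pins some type
     * variables to a level. Every other variable starts at 0 and is raised
     * until each constraint lo <= hi holds, which yields the least solution.
     * Returns the pinned variables that the constraints force above their
     * pinned level; an empty set means the labelling admits a secure typing.
     */
    static SortedSet<String> violations(List<Leq> cs, Map<String, Integer> fixed) {
        Map<String, Integer> level = new HashMap<>(fixed);
        boolean changed = true;
        while (changed) {
            changed = false;
            for (Leq c : cs) {
                int lo = level.getOrDefault(c.lo, 0);
                if (lo > level.getOrDefault(c.hi, 0)) {
                    level.put(c.hi, lo);   // raise hi so that lo <= hi holds
                    changed = true;
                }
            }
        }
        SortedSet<String> bad = new TreeSet<>();
        for (Map.Entry<String, Integer> e : fixed.entrySet()) {
            if (level.get(e.getKey()) > e.getValue()) {
                bad.add(e.getKey());
            }
        }
        return bad;
    }

    /** An equality a = b is the pair a <= b, b <= a. */
    static void addEq(List<Leq> cs, String a, String b) {
        cs.add(new Leq(a, b));
        cs.add(new Leq(b, a));
    }

    public static void main(String[] args) {
        final int LOW = 0, HIGH = 1;

        // Constraint set printed for the first test program (body: y = x).
        List<Leq> cs = new ArrayList<>();
        cs.add(new Leq("tau3", "tau2"));
        addEq(cs, "tau2", "tau1");
        cs.add(new Leq("tau0", "tau2"));

        // Gamma gives x : tau0 var and y : tau1 var.
        Map<String, Integer> secretToPublic = new HashMap<>();
        secretToPublic.put("tau0", HIGH);
        secretToPublic.put("tau1", LOW);

        Map<String, Integer> publicToSecret = new HashMap<>();
        publicToSecret.put("tau0", LOW);
        publicToSecret.put("tau1", HIGH);

        System.out.println("x high, y low : " + violations(cs, secretToPublic));
        System.out.println("x low, y high : " + violations(cs, publicToSecret));
    }
}
```

A labelling is rejected exactly when propagating the pinned levels through the constraints pushes some pinned variable above its label, which is the τ0 ≤ τ1 requirement stated above.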
// File: test.java
// Date: 24 Feb 98
//
// Author: LT James D. Harvey, USN
//
// Purpose: Developed as part of a secure information flow static
//          analyzer.

class test
{
  public static void p1(int x, int y)
  {
    if (x == 0)
      y = 0;
    else
      y = 1;
  }
}



The output of the static analyzer on the above program produced the following results. 

Constraint set: {17 = is, x 7 - x 2 , x» < 12, x? = t?, x? = x 2 , 

Xo < X 2 , X5 < X 4 , X 4 = Xi, X 7 < X 6 , X 6 - XI } 

Gamma: pi : Xgproc (xovar, xivar) 






// File: test.java
// Date: 24 Feb 98
//
// Author: LT James D. Harvey, USN
//
// Purpose: Developed as part of a secure information
//          flow static analyzer.
//************************************************************

class test
{
  public static void p1(int x, int y)
  {
    int a = x;
    int b = 0;
    while (a > 0) {
      b = b + 1;
      a = a - 1;
    }
    y = b;
  }
}



The output of the static analyzer on the above program produced the following results: 
Constraint set: {xu = in, Xi 2 < x 4 , x» = x 4 , x? = x 4 . x 2 < x 4 , Xu = is. 

XK < 16, x 6 = X 3 . 17 = 16. 13 < l6. l\l < 19. 19 = X 2 . 

Xio = 19, h < X 9 , Xu < x 1 3 , Xi - Xn, x 3 < x ]3 , x 0 < x 2 J 
Gamma = pi: Xi 2 proc(xovar, xivar) 

A partial trace of the analysis of this program is shown in Chapter VI 
//************************************************************
// File: test.java
// Date: 24 Feb 98
//
// Author: LT James D. Harvey, USN
//
// Purpose: Developed as part of a secure information
//          flow static analyzer.
//************************************************************

class test
{
  public static void p1(int x, int y)
  {
    int a = x;
    int b = 0;
    while (a > 0) {
      b = b + 1;
      a = a - 1;
    }
    y = b;
  }

  public static void p2(int a, int b)
  {
    a = a + 4;
    b = b + 2;
    if (a > b) {
      p1(b, a);
    } else {
      p1(a, b);
    }
    b = a + b;
  }

  public static void main()
  {
    int s = 1;
    int t = 8;
    do {
      p2(2, t);
      t = t - 1;
    } while (t > 3);
  }
}
The output of the static analyzer on the above program produced the following results:

1. The first procedure, p1, produces:

Constraint set: Jiu = X12, 112 5 X4, X6 = x 4 , x? = x 4 , *2 < x 4 , 19 = i6, 

IS < 16, X 6 = T?. X 7 - X 6 , X? < X 6 , X| 1 < X 9 , X 9 = X 2 , 

X10 = x 9 , X2 < X 9 , Xu < X13, X 13 = X], X3 < X13, Xo < X2 } 

Gamma: pi: x^proc (xovar, xivar) 

2. The second procedure, p2, produces: 

Constraint set: { X30 — xn, X29 — xn, X20 = X17, xi 9 < X17, Xn = X15, 

Xl8 — X]7, X15 < X 1 7, X22 < X20, X20 = X]6, X21 = X20, 

Xi6 ^ X20, X27 — X25, X27 — X23, X29 < X23, X25 — X23, 

X2 4 = X23, X15 < X23, X16 < X2 4 , X26 = Xo, X25 = Xo, 

X16 < X25, X15 < X26, X28 = Xo, X27 = Xo, X15 < X27, X16 < X28, 
X32 S X30, X30 = Xj6, X31 = X30, Xu < X30, Xi6 < X31 } 

Gamma: p2 : Xnproc (xi_<var, x^var) , 

pi : x^proc (xovar, xivar) 

3. The third procedure, main, produces: 

Constraint set: {x 42 < x.»o, X35 = x 4 o, x 4) = x 40 , X3 4 < x 4 o, 

X37 = X35, X36 = Xi5, X35 = Xi5, X3 4 < X36, 

X39 < X37, X37 = X3 4 , X38 = X37, X3 4 < X37 } 

Gamma: main : x 4 2 proc ( ) , 

p2 : Xn proc ( a : Xi?var, b : Xiovar), 
pi : x^proc (x : xovar, y:xivar) 

4. Gamma is updated with each procedure.






INITIAL DISTRIBUTION LIST 



Defense Technical Information Center 
8725 John J. Kingman Road, Suite 0944
Fort Belvoir, VA 22060

Dudley Knox Library
Naval Postgraduate School
411 Dyer Road
Monterey, CA 93940

Dr. Dan Boger, Chairman, Code CS
Computer Science Department 
Naval Postgraduate School 
Monterey, CA 93940 

Dr. Dennis Volpano, Code CS/Vd... 
Computer Science Department 
Naval Postgraduate School 
Monterey, CA 93940 

Dr Craig Rasmussen, Code MA/Ra 
Department of Mathematics 
Naval Postgraduate School 
Monterey, CA 93940 

LT James D Harvey 

7090 Brook Dr. 

Morrow, OH 45152 









